OFFICE OF THE INSPECTOR GENERAL

EVALUATION OF THE
U.S. INTERNATIONAL TRADE COMMISSION'S
FISCAL YEAR 2005 INFORMATION SECURITY
PROGRAM AND PRACTICES

AUDIT REPORT
OIG-AR-04-05

September 27, 2005

UNITED STATES INTERNATIONAL TRADE COMMISSION

WASHINGTON, DC 20436

September 27, 2005                                                            IG-CC-014

MEMORANDUM

TO:       THE COMMISSION

We hereby submit Audit Report No. OIG-AR-04-05, Evaluation of the U.S. International
Trade Commission's Fiscal Year 2005 Information Security Program and Practices. We
conducted an independent evaluation of the Commission's information security program
and practices to determine if the Commission: (1) implemented appropriate actions to
address recommendations made in OIG-AR-01-05 (October 6, 2004); and (2) met Federal
Information Security Management Act criteria.

The Commission made limited progress in strengthening its information technology (IT)
security program during the 2005 fiscal year (FY). The most commendable
accomplishments include:

      -   Completing a certification and accreditation package for the Data Web Cluster;

      -   Performing audits on several systems to evaluate security;

      -   Separating operational duties from the duties of the system administrator of the
          travel management system; and

      -   Eliminating the employee's Social Security number as the required user
          identification for a major application.

The Commission must, however, take significant further action in order to achieve
consistency with U.S. Office of Management and Budget (OMB) Circular A-130,
Appendix III, Security of Federal Automated Information Resources (February 1996).
While the security process is a continuous cycle of evaluating, improving, and monitoring
controls of the major IT systems, the Commission had not completed many basic steps
towards achieving security over its systems. The OIG identified weaknesses in these
areas as early as 2001, but the Commission has been slow in fully implementing the
recommendations. Specifically, the Chief Information Officer (CIO) needs to define
business continuity and disaster recovery controls; strengthen security planning and
program management; enhance access controls; enhance segregation of duty controls;
enhance system software controls; enhance change controls; and strengthen controls over
background investigations.

We made 23 recommendations to improve the Commission's IT security. In addition to
the 9 open recommendations from OIG-AR-01-05 (October 6, 2004), this report makes
14 new recommendations. The Commission concurred with our findings and
recommendations.

We appreciate the courtesies and cooperation provided to our auditors during this audit.

                                                                Kenneth F. Clarke
                                                                Inspector General

CC:    Office Directors
       Cotton & Company LLP